In the era before cloud computing, enterprises could expect to be responsible for securing everything — the systems in the data center, their applications, everything. Today, cloud service providers are ready, willing and able to take some of that burden off of their customers. Just how much, however, depends on the service.
Delineating where security obligations start and end for cloud service providers and their customers is the goal of the shared responsibility model. Venturing into the cloud without an understanding of what needs to be secured increases risk and potentially opens the door to attackers through unpatched systems, poor access controls and other vulnerabilities.
Knowing Your Role in the Cloud
Unfortunately, research has shown that understanding their role in securing the cloud is frequently a pain point for businesses. In a report earlier this year from Oracle and KPMG, only 8% of the IT executives and cybersecurity professionals surveyed said they fully understand the shared responsibility security model across all types of cloud services. At the same time, many of those in the survey reported widespread use of SaaS, platform as a service (PaaS) and infrastructure as a service (IaaS) in their organization.
Taking a look at each service model, we can see the differences. IaaS providers are typically responsible for protecting everything from the hardware to the hypervisor. The guest operating system is the province of the customer, as is their data and the software stack needed to run their applications. SaaS providers, on the other hand, are commonly responsible for managing an application and attendant infrastructure, with customers retaining responsibility for securing their data. PaaS is the middle ground between the two. In that model, customers generally focus on their users, applications, and data while the cloud service provider secures the underlying infrastructure.
Adding another wrinkle to their conversation is the growing adoption of functions as a service (FaaS) and containers as a service (CaaS). FaaS is a form of serverless computing where the cloud service provider runs the server, removing the need for the customer to maintain the infrastructure associated with developing and deploying an application. CaaS, meanwhile, allows users to manage and deploy containerized applications and clusters.
No matter which approach companies take in regard to the cloud, maintaining sufficient standards for security and compliance is a must. While the shared responsibility model outlines what the vendor and the customer are responsible for, the specific approach or features that vendors use can vary. As a result, customers should evaluate whether their cloud providers demonstrate a strong commitment to security and compliance and are able to help them meet their needs. Customers must remain vigilant in how they configure and secure their users and access, and utilize controls like encryption as appropriate.
Misconfigurations are one of the most common consequences of misunderstanding where a cloud provider’s duties start and stop. Recent history is filled with tales of misconfigured AWS S3 buckets and other stories where organizations migrated workloads to the cloud and assumed they were safe without taking proper precautions. Even in situations where the security configuration and access policies are well thought-out at the time the service is purchased, configurations may change as the needs of the business change. If these changes are not closely monitored, enterprises can leave themselves open to attacks and data leaks.
Meeting the Challenge
The answer to this problem is to combine comprehensive visibility and automated security. Catching misconfigurations in the cloud is critical but is complicated by the sheer number of cloud instances in corporate environments and the ease by which misconfigurations can be introduced via infrastructure-as-code (IaC) templates. To support DevOps, organizations need the ability to identify and correct any mistakes as quickly as possible. Enter cloud security posture management solutions like CrowdStrike Falcon Horizon™ CSPM, which provides visibility across multiple environments and reduces alert fatigue for security operations centers.
CrowdStrike offers visibility into cloud workload events and instance metadata to provide detection, response and proactive threat hunting and investigation via our market-leading Falcon Cloud Workload Protection solution. This extends to delivering real-time information about workloads, such as metadata about system size and configuration, networking, and security group information for AWS, Google Cloud Platform and Microsoft Azure. It extends to containers as well, providing protection without compromising performance. With a cloud-native security platform, organizations can unify the security capabilities they need in a single platform, as opposed to relying on point solutions and adding more complexity to the job of protecting cloud environments.
With cloud driving digital transformation, securing cloud environments is securing the potential for growth. However, leveraging a cloud service without first understanding the security and compliance implications for your organization is a recipe for failure. Starting with the planning process, enterprises that collaborate with their chosen vendor to understand what they are responsible for and how the service provider’s capabilities will help them use the cloud securely.